CIBA: Authentication Error Responses can't all be returned from the Backchannel Authentication Endpoint
Issue #81
resolved
These are the errors defined for the Authentication Error Response:
- invalid_request
- invalid_scope
- expired_token
- unauthorized_client
- access_denied
- unknown_user_id
However the access_denied error can't be returned from the Backchannel Authentication Endpoint as it will only occur after the OP has attempted to authenticate the user out of bounds on the authentication device.
The access_denied error should therefore be returned from the token endpoint for polling and notification callback modes.
For the delivery callback mode (formerly the notification mode), the error should be sent to the client notification endpoint.
Comments (6)
-
-
reporter
There was discussion that
access_deniedcould still be a valid error in the authentication error response as a user may have blanked blocked access to a certain type of client or the AS might make the decision on the users behalf. The spec should expand on the definition ofaccess_denied.However we agreed that it was also possible for an
access_deniederror to be returned from the token endpoint and that the spec should add this in. -
We should probably reconcile (at least for token endpoint error code registrations) the error codes defined in the (hopefully soon to be RFC) device flow https://tools.ietf.org/html/draft-ietf-oauth-device-flow-12#section-3.5 which does have an
access_deniedcode from the token endpoint. -
reporter
-
assigned issue to
Dave Tonge
-
assigned issue to
-
reporter
To discuss:
- expired_login_hint_token
- HTTP error codes (I've removed the 404 response)
Do we need this error and what should it be called. It was generically called
expired_tokenbut I think we've agreed that anid_token_hintcould be an expiredid_tokenso it doesn't make sense to apply the error toid_token_hints. -
- changed status to resolved
merged pull request
#26 - Log in to comment
yup